diff --git a/defaults/main.yml b/defaults/main.yml
index 9e37302e..41cf5b21 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -389,6 +389,39 @@ security_unattended_upgrades_notifications: false
 #security_audisp_remote_server: '10.0.21.1' # RHEL-07-030330
 # Encrypt audit records when they are transmitted over the network.
 #security_audisp_enable_krb5: yes # RHEL-07-030331
+# Rules for auditd are enabled if 'yes', disabled if 'no'. See the
+# documentation for each STIG control before enabling or disabling any rules.
+security_rhel7_audit_account_access: yes # RHEL-07-030492
+security_rhel7_audit_passwd_command: yes # RHEL-07-030510
+security_rhel7_audit_unix_chkpwd: yes # RHEL-07-030511
+security_rhel7_audit_gpasswd: yes # RHEL-07-030512
+security_rhel7_audit_chage: yes # RHEL-07-030513
+security_rhel7_audit_userhelper: yes # RHEL-07-030514
+security_rhel7_audit_su: yes # RHEL-07-030521
+security_rhel7_audit_sudo: yes # RHEL-07-030522
+security_rhel7_audit_sudo_config_changes: yes # RHEL-07-030523
+security_rhel7_audit_newgrp: yes # RHEL-07-030524
+security_rhel7_audit_chsh: yes # RHEL-07-030525
+security_rhel7_audit_sudoedit: yes # RHEL-07-030526
+security_rhel7_audit_mount: yes # RHEL-07-030530
+security_rhel7_audit_umount: yes # RHEL-07-030531
+security_rhel7_audit_postdrop: yes # RHEL-07-030540
+security_rhel7_audit_postqueue: yes # RHEL-07-030541
+security_rhel7_audit_ssh_keysign: yes # RHEL-07-030550
+security_rhel7_audit_pt_chown: yes # RHEL-07-030560
+security_rhel7_audit_crontab: yes # RHEL-07-030561
+security_rhel7_audit_pam_timestamp_check: yes # RHEL-07-030630
+security_rhel7_audit_init_module: yes # RHEL-07-030670
+security_rhel7_audit_delete_module: yes # RHEL-07-030671
+security_rhel7_audit_insmod: yes # RHEL-07-030672
+security_rhel7_audit_rmmod: yes # RHEL-07-030673
+security_rhel7_audit_modprobe: yes # RHEL-07-030674
+security_rhel7_audit_account_actions: yes # RHEL-07-030710
+security_rhel7_audit_rename: yes # RHEL-07-030750
+security_rhel7_audit_renameat: yes # RHEL-07-030751
+security_rhel7_audit_rmdir: yes # RHEL-07-030752
+security_rhel7_audit_unlink: yes # RHEL-07-030753
+security_rhel7_audit_unlinkat: yes # RHEL-07-030754
 ## Authentication (auth)
 # Disallow logins from accounts with blank/null passwords via PAM.
diff --git a/tasks/rhel7stig/auditd.yml b/tasks/rhel7stig/auditd.yml
index 4945d6f2..824ae3cd 100644
--- a/tasks/rhel7stig/auditd.yml
+++ b/tasks/rhel7stig/auditd.yml
@@ -13,6 +13,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+- name: Verify that auditd.conf exists
+stat:
+path: /etc/audit/auditd.conf
+register: auditd_conf
+check_mode: no
+tags:
+- always
+
 - name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited
 lineinfile:
 dest: /etc/audisp/audisp-remote.conf
@@ -20,6 +28,7 @@
 line: "remote_server = {{ security_audisp_remote_server }}"
 when:
 - security_audisp_remote_server is defined
+- auditd_conf.stat.exists
 notify:
 - restart auditd
 tags:
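Review bot: The thirty-one new toggles are written with the YAML 1.1 boolean spelling `yes` (for example `security_rhel7_audit_account_access: yes`), while the same file already uses `false` for `security_unattended_upgrades_notifications` in this hunk's header; the template reads them through `| bool`, so both spellings work, but `true`/`false` is the form yamllint's truthy rule accepts and it does not depend on 1.1 versus 1.2 parser behaviour. Consider writing them as `security_rhel7_audit_account_access: true` and so on down the list. The introductory comment would then be clearer as `# Each auditd rule below is rendered when its variable evaluates true (the role applies the 'bool' filter, so 'yes'/'no' also work).`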
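Review bot: The new `Verify that auditd.conf exists` task makes every later auditd task conditional on `auditd_conf.stat.exists`, so a host where auditd is missing silently receives no audit rules and the play still reports success, which is the wrong default for a compliance role unless that is deliberate. A comment above the stat task should state the intent, for example `# auditd may be absent on some hosts; every task that writes under /etc/audit is skipped when auditd.conf is missing.`, and if skipping is not acceptable a `fail`/`debug` task keyed on `not auditd_conf.stat.exists` would surface the gap. `check_mode: no` on the stat task is the right choice since later `when` clauses need the registered result during check runs. The second hunk only touches the `when` list of the remote-server task, whose body starts and ends outside the hunk.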
@@ -34,9 +43,69 @@
 line: "enable_krb5 = yes"
 when:
 - security_audisp_enable_krb5 is defined
+- auditd_conf.stat.exists
 notify:
 - restart auditd
 tags:
 - medium
 - auditd
 - RHEL-07-030331
+
+- name: Get valid system architectures for audit rules
+set_fact:
+auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
+check_mode: no
+tags:
+- always
+
+- name: Remove old RHEL 6 audit rules file
+file:
+path: /etc/audit/rules.d/osas-auditd.rules
+state: absent
+when:
+- auditd_conf.stat.exists
+notify:
+- generate auditd rules
+tags:
+- always
+
+- name: Deploy rules for auditd based on STIG requirements
+template:
+src: osas-auditd-rhel7.j2
+dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
+when:
+- auditd_conf.stat.exists
+notify:
+- generate auditd rules
+tags:
+- auditd
+- RHEL-07-030492
+- RHEL-07-030510
+- RHEL-07-030511
+- RHEL-07-030512
+- RHEL-07-030513
+- RHEL-07-030514
+- RHEL-07-030521
+- RHEL-07-030522
+- RHEL-07-030523
+- RHEL-07-030524
+- RHEL-07-030525
+- RHEL-07-030526
+- RHEL-07-030530
+- RHEL-07-030531
+- RHEL-07-030540
+- RHEL-07-030541
+- RHEL-07-030550
+- RHEL-07-030560
+- RHEL-07-030561
+- RHEL-07-030630
+- RHEL-07-030670
+- RHEL-07-030671
+- RHEL-07-030672
+- RHEL-07-030673
+- RHEL-07-030674
+- RHEL-07-030750
+- RHEL-07-030751
+- RHEL-07-030752
+- RHEL-07-030753
+- RHEL-07-030754
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index 5e3dd054..8b0ab534 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -27,6 +27,10 @@
 when:
 - not check_mode | bool
+# Package installations and removals must come first so that configuration
+# changes can be made later.
+- include: packages.yml
+
 # Package managers are managed first since the changes in these tasks will
 # affect the remainder of the tasks in the role.
 - include: apt.yml
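Review bot: The tag list on the `Deploy rules for auditd based on STIG requirements` task omits `RHEL-07-030710`, even though this commit adds `security_rhel7_audit_account_actions` for that control in defaults/main.yml and the template renders the `/etc/passwd`, `/etc/shadow`, `/etc/group`, `/etc/gshadow` and `/etc/security/opasswd` watches under it; a run with `--tags RHEL-07-030710` would therefore skip the deployment. Add `- RHEL-07-030710` between `- RHEL-07-030674` and `- RHEL-07-030750`. The same `template` task sets no ownership or permissions, so the rules file gets whatever the default umask yields; audit rule files under `/etc/audit/rules.d` are conventionally root-only, so setting `owner: root`, `group: root` and `mode: "0640"` explicitly would be safer. The `set_fact` only special-cases ppc64le and lets every other architecture fall through to `b32`/`b64`; a one-line comment saying that this is intentional (or that other architectures are untested) would help the next reader.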
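Review bot: The retained comment `# Package managers are managed first since the changes in these tasks will` is no longer true once `- include: packages.yml` is placed ahead of `- include: apt.yml`; the two comments now both claim to run first. Reword it to something like `# Package manager hardening follows the package changes above; its settings affect the remainder of the tasks in the role.` Note as well that package installs and removals now happen before the package-manager hardening in apt.yml (and whatever the yum counterpart configures, which is outside this hunk), so any repository or signature-checking settings those files enforce are not yet in effect while packages.yml runs; if that ordering is deliberate, the new comment should say why it is acceptable. The task whose `when:` clause opens this hunk starts outside the hunk.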
@@ -39,10 +43,10 @@
 # each file are tagged with the same name (for example, tasks in `auth.yml`
 # are tagged with `auth`). Also, the tag name matches up with the "STIG
 # Controls by Tag" section of the role documentation.
+- include: auditd.yml
 - include: auth.yml
 - include: file_perms.yml
 - include: graphical.yml
-- include: packages.yml
 - include: sshd.yml
 - name: Remove the temporary directory
diff --git a/templates/osas-auditd-rhel7.j2 b/templates/osas-auditd-rhel7.j2
new file mode 100644
index 00000000..3a87ddba
--- /dev/null
+++ b/templates/osas-auditd-rhel7.j2
@@ -0,0 +1,179 @@
+{% if security_rhel7_audit_account_access | bool %}
+# RHEL-07-030492 - The operating system must generate audit records for all
+# successful account access events.
+-w /var/log/lastlog -p wa -k RHEL-07-030492
+{% endif %}
+
+{% if security_rhel7_audit_passwd_command | bool %}
+# RHEL-07-030510 - All uses of the passwd command must be audited.
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030510
+{% endif %}
+
+{% if security_rhel7_audit_unix_chkpwd | bool %}
+# RHEL-07-030511 - All uses of the unix_chkpwd command must be audited.
+-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030511
+{% endif %}
+
+{% if security_rhel7_audit_gpasswd | bool %}
+# RHEL-07-030512 - All uses of the gpasswd command must be audited.
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030512
+{% endif %}
+
+{% if security_rhel7_audit_chage | bool %}
+# RHEL-07-030513 - All uses of the chage command must be audited.
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030513
+{% endif %}
+
+{% if security_rhel7_audit_userhelper | bool %}
+# RHEL-07-030514 - All uses of the userhelper command must be audited.
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030514
+{% endif %}
+
+{% if security_rhel7_audit_su | bool %}
+# RHEL-07-030521 - All uses of the su command must be audited.
+-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030521
+{% endif %}
+
+{% if security_rhel7_audit_sudo | bool %}
+# RHEL-07-030522 - All uses of the sudo command must be audited.
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030522
+{% endif %}
+
+{% if security_rhel7_audit_sudo_config_changes | bool %}
+# RHEL-07-030523 - The operating system must generate audit records containing the full-text recording of modifications to sudo configuration files.
+-w /etc/sudoers -p wa -k RHEL-07-030523
+-w /etc/sudoers.d/ -p wa -k RHEL-07-030523
+{% endif %}
+
+{% if security_rhel7_audit_newgrp | bool %}
+# RHEL-07-030524 - All uses of the newgrp command must be audited.
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030524
+{% endif %}
+
+{% if security_rhel7_audit_chsh | bool %}
+# RHEL-07-030525 - All uses of the chsh command must be audited.
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030525
+{% endif %}
+
+{% if security_rhel7_audit_sudoedit | bool %}
+# RHEL-07-030526 - All uses of the sudoedit command must be audited.
+-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030526
+{% endif %}
+
+{% if security_rhel7_audit_mount | bool %}
+# RHEL-07-030530 - All uses of the mount command must be audited.
+-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030530
+{% endif %}
+
+{% if security_rhel7_audit_umount | bool %}
+# RHEL-07-030531 - All uses of the umount command must be audited.
+-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030531
+{% endif %}
+
+{% if security_rhel7_audit_postdrop | bool %}
+# RHEL-07-030540 - All uses of the postdrop command must be audited.
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030540
+{% endif %}
+
+{% if security_rhel7_audit_postqueue | bool %}
+# RHEL-07-030541 - All uses of the postqueue command must be audited.
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030541
+{% endif %}
+
+{% if security_rhel7_audit_ssh_keysign | bool %}
+# RHEL-07-030550 - All uses of the ssh-keysign command must be audited.
+{% if ansible_os_family | lower == 'debian' %}
+-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030550
+{% else %}
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030550
+{% endif %}
+{% endif %}
+
+{% if security_rhel7_audit_pt_chown | bool and ansible_os_family | lower == 'redhat' %}
+# RHEL-07-030560 - All uses of the pt_chown command must be audited.
+-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030560
+{% endif %}
+
+{% if security_rhel7_audit_crontab | bool %}
+# RHEL-07-030561 - All uses of the crontab command must be audited.
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030561
+{% endif %}
+
+{% if security_rhel7_audit_pam_timestamp_check | bool %}
+# RHEL-07-030630 - All uses of the pam_timestamp_check command must be audited.
+-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F auid!=4294967295 -k RHEL-07-030630
+{% endif %}
+
+{% if security_rhel7_audit_init_module | bool %}
+# RHEL-07-030670 - All uses of the init_module command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S init_module -k RHEL-07-030670
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_delete_module | bool %}
+# RHEL-07-030671 - All uses of the delete_module command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S delete_module -k RHEL-07-030671
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_insmod | bool %}
+# RHEL-07-030672 - All uses of the insmod command must be audited.
+-w /sbin/insmod -p x -F auid!=4294967295 -k RHEL-07-030672
+{% endif %}
+
+{% if security_rhel7_audit_rmmod | bool %}
+# RHEL-07-030673 - All uses of the rmmod command must be audited.
+-w /sbin/rmmod -p x -F auid!=4294967295 -k RHEL-07-030673
+{% endif %}
+
+{% if security_rhel7_audit_modprobe | bool %}
+# RHEL-07-030674 - All uses of the modprobe command must be audited.
+-w /sbin/modprobe -p x -F auid!=4294967295 -k RHEL-07-030674
+{% endif %}
+
+{% if security_rhel7_audit_account_actions | bool %}
+# RHEL-07-030710 - The operating system must generate audit records for all
+# account creations, modifications, disabling, and termination events.
+-w /etc/group -p wa -k RHEL-07-030710
+-w /etc/passwd -p wa -k RHEL-07-030710
+-w /etc/gshadow -p wa -k RHEL-07-030710
+-w /etc/shadow -p wa -k RHEL-07-030710
+-w /etc/security/opasswd -p wa -k RHEL-07-030710
+{% endif %}
+
+{% if security_rhel7_audit_rename | bool %}
+# RHEL-07-030750 - All uses of the rename command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030750
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_renameat | bool %}
+# RHEL-07-030751 - All uses of the renameat command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030751
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_rmdir | bool %}
+# RHEL-07-030752 - All uses of the rmdir command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030752
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_unlink | bool %}
+# RHEL-07-030753 - All uses of the unlink command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030753
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_unlinkat | bool %}
+# RHEL-07-030754 - All uses of the unlinkat command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030754
+{% endfor %}
+{% endif %}
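Review bot: The RHEL-07-030630 rule for pam_timestamp_check repeats `-F auid!=4294967295` twice; auditctl tolerates the duplicate field, but it reads as a copy/paste slip and the line should be `-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030630`. The interactive-user floor `auid>=1000` is hard-coded in every `-a` rule, so hosts whose login.defs sets a different UID_MIN would either miss real users or audit system accounts; exposing it as a role variable with a default of 1000 would keep the rules correct across those systems. Only the ssh-keysign block branches on `ansible_os_family`, while the other `-F path=` values (`/sbin/unix_chkpwd`, `/bin/su`, `/usr/libexec/pt_chown` and so on) are fixed, so a header comment at the top of the template would help, for example `# Rendered by Ansible from osas-auditd-rhel7.j2; local edits are overwritten. Binary paths below are those of RHEL 7 unless guarded by an os_family check.`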